Legal Brief: Communication Is Key to Security Compliance

When it comes to compliance, IT departments that don't communicate with other business units are doomed to failure. Consider the following situation, which I've seen happen several times:

Marketing Division A asks IT for the e-mail addresses of customers who've shown interest in a product by registering on the company Web site. IT complies, and Division A launches an e-mail marketing campaign. Problem is, the Web site is run by Division B, which had posted a statement on the registration page promising e-mail addresses would never be shared. The result: an unintentional privacy violation.

Clearly, someone needs to be looking at the big privacy and security compliance picture.

IT has a role to play in three major components to privacy and security compliance: corporate policies, assessment and implementation, and training. But IT also must accept the roles other divisions will play in areas typically within its domain.

» CORPORATE POLICIES: Do not underestimate the importance of written policies addressing data-protection issues. Security policies, HR policies, privacy policies for internal and customer data, document-disposal policies, security breach policies--all are necessary as part of corporatewide training programs and to establish compliance baselines. They'll also prove essential in defending your company should it be accused of a legal violation. Collaborate with other divisions, such as HR, to create policies that govern IT functions that touch on security and compliance, such as disclosure of employee monitoring.» ASSESSMENT AND IMPLEMENTATION: For IT, this step generally involves evaluating and deploying security products and systems. However, understand that security is, fundamentally, a legal issue. If company counsel asks to review internal security audits, or even requests a third-party audit, don't take it personally. Should the company's data-protection practices come under scrutiny, a third-party audit and appropriate corporate response to any weaknesses uncovered may be invaluable in establishing that the company understood its security obligations and took reasonable steps to comply. Thus, legal must also work with IT to determine which fixes to implement. Perhaps of more interest, legal may become a strong advocate for increased security budget, personnel and other resources.

What if a security breach occurs? IT will be indispensable in locking down the systems, then determining the extent of the breach, data compromised and source of the attack. But the organization's response must include analysis of whether any data-breach-notification, consumer-protection or other laws are implicated; the appropriate corporate response, including legal and business considerations; and how the breach occurred and what measures to implement to prevent future attacks.

» TRAINING: For IT, training must go beyond technology to an understanding of how data protection impacts an organization. For example, in my experience, more than one client has found that IT notified the local police regarding a break-in that resulted in theft of computer equipment, without understanding how the theft could impact security-breach notification laws and without giving the company the opportunity to analyze and respond to the theft in light of the business, PR and legal issues.

IT's role is evolving, from a contained corporate function to a vital component of corporatewide compliance. To meet this challenge, IT groups should participate with all of an organization's relevant divisions in setting corporate policies to protect data, and in training personnel on those policies and their importance.

True compliance will only happen, however, with open cooperation and collaboration. Technology is important, but communication is key to protecting data, creating accurate and relevant policies, and meeting business and legal needs. Never forget the human factor.Justine Young Gottshall is a partner in the intellectual property group of Wildman Harrold Allen & Dixon,and a Certified Information Privacy Professional (CIPP).